On September 28, 2018, California Gov. Jerry Brown signed into law two companion bills that regulate cybersecurity standards for Internet of Things (IoT) devices sold in California. S.B. 327 and A.B. 1906 (the “Bills”) require that manufacturers of connected devices sold in California outfit their products with “reasonable” security features by January 1, 2020, the same date the California Consumer Privacy Act will also take effect.
The Bills require a manufacturer of a connected device to “equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.” The legislation goes on to offer examples of a “reasonable” security feature, such as making the pre-programmed passwords unique to each device manufactured and requiring a new means of authentication before access can be granted to the device for the first time.
Under the new law, “manufacturer” means the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California. A “contract with another person to manufacture” on the person’s behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device. The new law therefore covers the person who manufactures, or contracts with someone to manufacture, a connected device that is sold or offered for sale in California. For example, an electronics retailer such as Best Buy does not have an obligation to review or enforce compliance with the Bills.
According to Gartner, an estimated 20 billion devices will be online by 2020. As the first state or federal law to address IoT security, the California legislation will effectively become a standard for manufacturers of these devices. Currently, the IoT industry is largely self-regulated and governed by best practices as well as Federal Trade Commission enforcement actions and guidance under its broad authority to police deceptive security practices.
As companies increasingly rely on data to drive business, it is key to incorporate Privacy by Design practices, international laws like the GDPR, and forthcoming domestic legislation into privacy programs. TrustArc has privacy expertise and powerful technology to help your company navigate this increasingly complex landscape – contact us to find out more.
The internet of things is the connection of a broad range of devices using an IP address. It can range from our smart TVs and phones, to our home security systems, thermostats … the list goes on. A popular prediction is that by 2020, the internet of things will comprise no less than 50 billion devices.
With this type of wide adoption, concerns over private data surface – how it is collected, how it is used, and how it may make your organization vulnerable to risk.
Connected cars, having an IP address, are part of the internet of things. Unless anonymized, all data that comes from a car is potentially personal, frequently behavioral, sometimes social, and now with payment systems, sensitive, financial, and reputational as well. As just one example, a connected car could have access to a credit card number, where the data subject drove before and after a purchase, and all of a phone’s contacts. It may also deduce where the data subject lives and works, how they typically drive, and whether the data subject is driving in a particularly erratic manner at a given moment.
Privacy and the Internet of Things: Understanding Risk
To paraphrase a recent TRUSTe Privacy Blog post, as internet of things technologies advance and companies have greater monetary incentives to process the data, privacy and transparency should be considered. The more connected devices there are, the greater the risk that they will be compromised. The FTC report “Internet of Things: Privacy & Security in a Connected World” indicates that fewer than 10,000 households together generate 150 million discrete data points every day.
Anticipating the need for increased vigilance in privacy protection, in late 2014, the Alliance of Automobile Manufacturers (representing almost all car manufacturers) developed and released a set of Consumer Protection Privacy Principles to be incorporated into the privacy policies and statements of car manufacturers.
Now, regulators are increasingly weighing in. For connected automobiles alone, privacy laws and enforcement actions are growing. In a keynote presentation at the 2016 Connected Cars conference, FTC Commissioner Terry Sweeney stated that the Commission was watching to ensure that automobiles protect the security and privacy of consumers. France’s data protection authority CNIL released a compliance package which provides guidelines for how to treat the personal data gathered by connected cars. This guideline is intended to be consistent with requirements under the EU General Data Protection Regulation (GDPR) when that law goes into effect next year.
IoT and Unauthorized Disclosure of Data: Incident or Breach?
Like any other privacy incident in which private, protected data is revealed without authorization, an incident involving an IoT device should be analyzed under all applicable breach notification laws and contractual obligations. When conducting a multi-factor risk assessment to determine if an incident meets a breach threshold, keep the following in mind:
- Understand the difference between an incident and a breach; it’s key to determining whether your incident requires notification. Making this determination means answering questions such as: how was the data stored, how was it transmitted, were there adequate technical safeguards in place with respect to both… how much risk should be attributed to the recipient? Were they authorized? How likely are they to misuse the data? Are there any administrative or contractual protections on that relationship? After the incident, were there any mitigation measures taken, such as remotely wiping storage media, changing credentials, or other measures that could limit or remove further risk exposure?
- Proving consistency in your risk assessment process can help you pass an audit – or even avoid coming under audit scrutiny. Automation tools in incident response provide a consistent process for documenting and profiling the incident, scoring that incident against applicable laws, and generating incident-specific notification guidance and decision support.
- Track trends in incident categories and root causes. Learn from your incidents. Accurately identifying weaknesses in your systems, departments or processes can reduce the number of incidents and your organizational risk. Automation is key to ensuring proper analysis and risk mitigation.
2017 Privacy Risk Summit Session
For more on the topic of Privacy and the Internet of Things, attendees of the upcoming Privacy Risk Summit are invited to join the session “What's your Wallet? The Privacy and Security of In-Car Payment Systems” on June 6, 2017 from 10:30 – 11:30 AM. A panel that includes K&L Gates attorneys from the US and Europe, a client manufacturer of connected car technology, and myself will discuss the challenges of implementing the new standards imposed by the US Federal Trade Commission, as well as French, German and British data protection authorities. Panelists include:
- Jill Phillips, Sr Attorney, Privacy & Security, Intel
- Julia Jacobson, Partner (Boston Office), K&L Gates LLP
- Claude-Etienne Armingaud, Partner (Paris Office), K&L Gates LLP
- Alex Wall, Senior Counsel & Global Privacy Officer, RADAR, Inc.
Connected cars can connect to devices, other cars, or networks that are inside or outside of the car. For example, connected cars can use a driver or passenger mobile device to conduct hands free phone calls. Other examples include: navigation apps, music streaming, or wifi hotspots. Some apps can even use connected cars’ cameras to find open parking spots for drivers. As infotainment centers and features in cars become more advanced, they collect more personal information.
While the examples above show how driving experiences can be enhanced for drivers and passengers, companies can also reap benefits from collecting the data.
Government organizations such as the FTC and the National Highway Traffic Safety Administration (NHTSA) can use connected cars’ data to enhance safety and protect the environment. One feature that can help protect drivers is vehicle-to-vehicle (V2V) communication, in which vehicles wirelessly exchange information to warn drivers of potential crash risks.
Companies that are developing self-driving cars need to use connected cars’ data to “teach” driverless cars things like how to look for road signs, traffic lights, and lane lines. Information about drivers and passengers can also be used for marketing purposes, such as suggesting places to eat or shop on the car’s usual driving routes. Automakers such as Ford and GM already use car data in conjunction with third parties to offer car drivers special perks and discounts on third party services.
The predictions for connected cars, and more importantly, their data, are overwhelmingly optimistic. A BI Intelligence report on connected cars predicts that over 380 million connected cars will be on the road by 2021. With all of the connected cars comes a lot of connected car data. Fortune magazine predicts that by 2020, autonomous vehicles will generate about 4,000 gigabytes of data a day. According to Intel, that much data would normally be generated by about 3,000 people through use of their PCs, mobile phones and other wearable technology. That data will be monetized. At the LA Auto Show, Intel CEO Brian Krzanich announced that “data is the new oil.”
As new connected car technology advances and companies have greater monetary incentives to process the data, privacy and transparency should be considered. Many car companies operate on a global scale, so it is likely that international privacy regulations, such as the EU GDPR, may apply.
Yesterday at the DC Auto Show, the Future of Privacy Forum (FPF) and the National Automobile Dealers Association (NADA) released a guide to help consumers understand how new cars might be collecting personal information.
This guide, Personal Data In Your Car, gives examples of the types of data that most cars collect now. Older technologies, such as Event Data Recorders (EDRs), have been installed in cars since the '90s. EDRs record technical information about a car before and after a crash. Many new cars contain features such as navigation, blind spot detection, parking assist, and infotainment centers. User recognition technology may even scan a driver's face and automatically adjust seat positioning. To take advantage of these features, however, the cars must collect information about the driver and driving habits.
Taking advantage of these new technologies does not mean that consumers must give up their rights to data privacy. The Guide explains the Automotive Privacy Principles and contains a helpful checklist of steps you can take to protect your privacy when selling or renting a car. The three main commitments of the Principles, which most major automakers have promised to abide by, are:
- Transparency – manufacturers will provide you with clear and concise privacy policies.
- Affirmative Consent For Sensitive Data – your consent is required before certain sensitive information is used for marketing or shared with unaffiliated third parties for their own use. This includes three types of data: (1) “geolocation” (where you are); (2) “biometric” (physical or health information about you or your passengers); and (3) driver behavior data.
- Limited sharing with government and law enforcement – automakers will clearly state the limited circumstances where they may share your information with government authorities and law enforcement.
To learn more about connected cars, check out our previous blog posts: European Commission Comments on Connected Cars and Privacy; Connected Cars and Privacy: The Automobile Industry’s Push for Self-Regulation; The Privacy Implications of Home Monitoring – Summit Preview.
In exchange for technology advances that make our day-to-day lives easier and safer, we are providing more and more personal information.
Connected cars are an example of advances in technology that make our lives easier and safer. Today, cars use networks of internal computers that can use hundreds of sensors to collect information about our driving habits or physical vehicle information.
The European Commission is keeping up with these changes and suggesting ways to ensure that the personal data we provide in exchange for the conveniences and improved safety of technology advances is kept safe. It has established the Cooperative Intelligent Transport Systems (C-ITS), which is a multi-stakeholder platform formed to come up with a way to access data in a safe and privacy-friendly way. Additionally, a leaked draft of the Commission’s communication “Building a European Data Economy” discusses “the issues of free flow of data; access and transfer in relation to data; liability and safety in the context of emerging technologies; and portability, interoperability and standards.”
The final document is scheduled to be released this month.
TRUSTe has been at the forefront of the IoT in the context of connected cars as it pertains to privacy. At the TRUSTe Privacy Risk Summit '15, Tim Tobin, Partner, Hogan Lovells; Jill Phillips, Chief Privacy Officer, General Motors; and Joe Jerome, Policy Counsel, Future of Privacy Forum, discussed “How the Automobile Industry Took the Lead in Industry Self-Regulation.” Additional Privacy by Design issues to consider in the IoT context can be found here.
Additionally, if you have questions about your organization’s compliance with data privacy laws such as the EU GDPR, contact us.